There’s a renewed weapon of malware destruction in the fields of war, and it goes by the name “Machete.” A targeted attack campaign that kicked off in 2010 and now boasts an improved infrastructure, Machete has mostly hit victims in Ecuador and Venezuela, with a smattering of victims in other countries from the U.S. to Malaysia. Some of those affected are reportedly military and intelligence organizations, embassies, and government agencies.

Machete is cyber-espionage malware that can log keystrokes, capture audio from a computer’s microphone, grab geolocation data, and copy files to a remote server or even to a special USB device, among other things.

In its 2014 Application Usage and Threat Report, Palo Alto Networks shared its finding that hackers are using old-school exploit techniques in new ways and in new places. Its research found that common network applications such as FTP, RDP, SSL, NetBIOS, and UDP are being used as gateways or pivot points to communicate directly with endpoints for the purpose of data exfiltration.

The company’s analysis showed that nearly all threat activity was visible in only a small number of applications, and that “nearly 99 percent of all malware logs were generated by a single threat across a single application: unknown UDP.” UDP has become the command-and-control channel for botnets as a safe place to “hide in plain sight,” with the ZeroAccess botnet generating the heaviest amount of malware activity.

The most recent Verizon Data Breach Investigations Report (DBIR) revealed that crimeware is a serious problem for the construction, information, and utilities industries, representing over 30 percent of incidents. Among the most devilish in the ransomware trojan category is CryptoLocker.

How CryptoLocker Works
CryptoLocker arrives as a ZIP file attached to a seemingly innocent email. Once unzipped, the malware installs its payload in the user profile folder, adds a key to the registry so that it runs on startup, then starts phoning home to a command-and-control server. Once connected, the server generates a 2048-bit RSA key pair and sends only the public key back to the infected computer; the malware then encrypts files across local hard drives and mapped network drives with that public key and logs each encrypted file to a registry key. At that point, the user gets a message that his or her files have been encrypted, and a Bitcoin ransom is demanded.

So the Heartbleed bug within OpenSSL has caused a big ruckus this week. OpenSSL is one of the most widely used encryption software programs on the planet—and rightly so. This means that most of us—we billions of users of some of the most highly trafficked and trusted retail, search, and web services sites—may have unwittingly allowed our passwords and other sensitive information to be compromised within the last couple of years or so with absolutely no idea that this was happening.

So how did this vulnerability go undetected for the past year and a half by the legions of volunteer experts who have access to the code? Isn't open-source software meant to be more secure because it has such unlimited availability for review by the best of the best?

There’s a new hack in town, and the U.S. Secret Service calls it “Unlimited Operation.” Targeting ATMs belonging to small- and medium-sized banks, the hackers use stolen credentials to log in to the ATM systems’ remote admin panels and change the cash withdrawal limits to “Unlimited.” They then use stolen debit cards to withdraw as much cash as possible—sometimes more than victims actually have in their accounts.

You will never see an alert from your security information and event management (SIEM) tool for a zero-day attack. There is no signature in your blacklist for the malware that was custom-built for your organization and secretly colonized your mail server a month ago. No indicator, no pattern match, no alert.

Why is this the case? Because malware is constantly morphing, and because the sophisticated and dedicated minds under those black hats are working night and day to design a data breach specifically for each organization they decide to invade. When it hits you, it will be the first time its signature has ever been seen.

The critical point, however, is that the malware that was undoubtedly designed specifically for Target is probably already morphing into something unrecognizable by those signature-based tools for the next organization being drawn into the hackers’ crosshairs. Each organization that is hit with a form of this malware in the future will be on the receiving end of its own, customized attack for which no signature can be created.
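
The CryptoLocker sequence described above (payload dropped under the user profile, a Run-key entry for persistence, a call home, then a burst of file writes across local and mapped drives) and the point that no signature exists for custom malware both lead to the same defensive idea: look for the behaviour rather than the hash. The following Python is an added example, not code from Guidance Software or from the original posts. It assumes a hypothetical, constructed endpoint-telemetry line format of `<ISO timestamp> <pid> <process> <event> <detail>` with event types FILE_WRITE, REG_SET and NET_CONNECT; the sample log and thresholds are constructed for illustration, and the scoring goes beyond the page by combining several weak signals into one finding.

```python
"""Behavioural (signature-free) detector for ransomware-like endpoint activity.

Added example; the telemetry format, thresholds and sample log are all
constructed assumptions, not a real product's data or a real incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical line format: "<ISO timestamp> <pid> <process> <event> <detail>"
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (FILE_WRITE|REG_SET|NET_CONNECT) (.+)$")
# Persistence via the per-user Run key (the startup mechanism named in the post)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

MIN_WRITES = 20                 # file writes inside WINDOW before a process is "bursty"
WINDOW = timedelta(seconds=60)  # sliding window for the burst check (constructed value)


def parse(text):
    """Turn telemetry text into (timestamp, pid, process, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than abort the whole batch
        ts, pid, proc, kind, detail = m.groups()
        events.append((datetime.fromisoformat(ts), int(pid), proc, kind, detail))
    return events


def detect(events):
    """Score each process on burst writes, multi-drive writes, Run-key persistence
    and outbound connections; report those that combine enough of them."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev[1]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e[0])
        writes = [e for e in evs if e[3] == "FILE_WRITE"]
        persisted = any(e[3] == "REG_SET" and RUN_KEY_RE.search(e[4]) for e in evs)
        beaconed = any(e[3] == "NET_CONNECT" for e in evs)

        # Largest number of file writes that fall inside any WINDOW-long span
        best, start = 0, 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > WINDOW:
                start += 1
            best = max(best, end - start + 1)

        # Distinct drive letters touched (local plus mapped network drives)
        drives = {e[4][:2].upper() for e in writes if re.match(r"[A-Za-z]:", e[4])}

        score, reasons = 0, []
        if best >= MIN_WRITES:
            score += 2
            reasons.append(f"{best} file writes within {WINDOW.seconds}s")
        if len(drives) > 1:
            score += 1
            reasons.append(f"writes on drives {sorted(drives)}")
        if persisted:
            score += 1
            reasons.append("Run key persistence")
        if beaconed:
            score += 1
            reasons.append("outbound connection")
        if score >= 3:
            findings.append({"pid": pid, "process": evs[0][2],
                             "score": score, "reasons": reasons})
    return findings


def build_sample():
    """Constructed telemetry: one benign mail client, one ransomware-like process,
    one benign word processor. Not real logs."""
    lines = [
        "2014-01-10T09:00:01 4412 outlook.exe FILE_WRITE C:\\Users\\jdoe\\Downloads\\invoice.zip",
        "2014-01-10T09:00:05 5120 invoice.exe FILE_WRITE C:\\Users\\jdoe\\AppData\\Roaming\\xqz.exe",
        "2014-01-10T09:00:06 5120 invoice.exe REG_SET HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\xqz",
        "2014-01-10T09:00:07 5120 invoice.exe NET_CONNECT 203.0.113.7:443",
    ]
    base = datetime(2014, 1, 10, 9, 0, 10)
    for i in range(30):  # burst of writes: 20 on the local drive, then 10 on a mapped share
        drive = "C:" if i < 20 else "Z:"
        ts = (base + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} 5120 invoice.exe FILE_WRITE {drive}\\Users\\jdoe\\Documents\\file{i}.docx")
    lines.append("2014-01-10T09:01:00 6000 winword.exe FILE_WRITE C:\\Users\\jdoe\\Documents\\memo.docx")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in detect(parse(build_sample())):
        print(f"pid {f['pid']} ({f['process']}): score {f['score']} - {'; '.join(f['reasons'])}")
```

None of the four signals is a signature of any particular sample; each is a property of what ransomware has to do to work, which is why the same rule would still fire on a rebuilt variant whose hash has never been seen.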

Manning, Snowden, Wikileaks… Recent headlines have made the dangers of insider threats for federal agencies even more of a flashing red light than before. The risk of intentional data breaches is a critical problem, but certainly not the only one. The latest report from the Ponemon Institute, the 2013 Cost of Cyber Crime Study: United States, found that more than one third of all data security breaches at government agencies are caused accidentally by internal employees. Intentional or not, both are problematic.

Human error as insider threat

A study by the Privacy Rights Clearinghouse noted not long ago that government agencies have experienced a steady rise in data breaches caused by employees over the last four years. In addition, employee negligence caused over 150 breaches and the loss of more than 92.5 million records since January 2009.

Despite most corporations’ robust perimeter security solutions, advanced persistent threats may already have evaded perimeter detection and be lying in wait for some future launch date. Of even more concern is the fact that some of the barbarians who are already past the gate may not be Ukrainian hackers; they may be someone working at a neighboring desk.

Insider Threats: There is something you can do

Some methods for dealing with insider threats are exercised by managers with good people skills and the ability to spot early signs of attitude or work-satisfaction issues. However, the best source of raw intelligence on potential threats in the modern enterprise is found directly at the endpoints such as laptops and servers—the targets of most serious information-security threats.

While organizations are still relying heavily on log management or SIEM platforms, only a small percentage are confident about their ability to analyze large data sets for security trends, according to the newly released SANS Security Analytics Survey.

Guidance Software recently co-sponsored the survey with Hewlett-Packard, Hexis Cyber Solutions (a KeyW Company), LogRhythm, and SolarWinds on awareness and use of analytics and intelligence to augment current monitoring practices.

Just in time for the Department of Homeland Security’s National Cyber Security Awareness Month, Guidance Software has unleashed one of the most powerful weapons in the war against security risks--EnCase® Analytics. In fact, we announced the general availability of EnCase Analytics just yesterday. This is big news for information security, incident response, and risk and compliance teams, because EnCase Analytics gives you something you could never get before: an early look at previously unknown and difficult-to-detect threats through the use of “big data” analytical techniques. It does this by analyzing the reams of data generated by your users’ endpoint activity, producing for the first time a clear picture of organization-wide security risk—both internal and external.

Here is the problem: the delay between a breach, developing a defense, and sharing the solution can take months, if not longer. Why the delay? Because the good guys do not share enough information. The black hats are aggressively sharing techniques and new approaches. Thus, we applaud anything that the government can do to encourage exchange of information on cybersecurity threats and new methods employed by hackers and other cyber-criminals.

Sandy Lii

The well-known military general and strategist Sun Tzu said it best in The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” In today’s war against cybersecurity threats, two types of enemy have been classified: known threats and unknown threats.

The known threats, true to their name, are tracked by their known and readily available signatures and are typically stopped by perimeter security solutions such as antivirus software, firewalls, or SIEM (security information and event management) systems. While these tools are necessary and can be effective at stopping known threats, the unknown threats--the ones with no defined modi operandi or signatures--remain at large within organizations, lurking undetected, waiting for the right moment to strike. Sometimes, these threats can even be a careless or disgruntled employee.

When thinking about corporate security teams, we often conjure up the image of a large group of people with state-of-the-art technology, monitoring end-users’ every action 24x7. The reality is, corporate security teams are often under-staffed and can barely keep up with reacting to the threats that have already surfaced, let alone looking at all the endpoints at Big Data scale.

And as much as I live and dream Big Data, I cannot deny that without analytics, Big Data is just noise. Regardless of the sources and richness of the data, Big Data in itself does not provide big insights. That said, you would think almost every organization would embark on the journey to Big Data analytics to improve operations and enterprise security. The reality is, the desire to do Big Data analytics is often extinguished by these challenges: